[Samba] ldbadd with kerberos ticket => 00002020: Operation unavailable without authentication

Rowland Penny rowlandpenny241155 at gmail.com
Tue Sep 1 21:39:37 UTC 2015


On 01/09/15 21:59, Quirin Maier wrote:
> Hi,
>
> I'd like to use ldbadd with kerberos authentication using samba
> 4.2.3-SerNet-Debian-7.jessie, but it seems authentication is not being
> processed. Executing...
>
> kinit Administrator@INTERNAL.DOMAIN.TLD -k -t /etc/admin.keytab
>
> root@dc01:/# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: Administrator@INTERNAL.DOMAIN.TLD
>
> Valid starting     Expires            Service principal
> 09/01/15 20:36:16  09/02/15 06:36:16  krbtgt/INTERNAL.DOMAIN.TLD@INTERNAL.DOMAIN.TLD
>         renew until 09/02/15 20:36:16
>
> root@dc01:/# ldbadd -k yes -H ldap://localhost << EOF
> dn: CN=Groups,DC=internal,DC=domain,DC=tld
> objectClass: container
> objectClass: top
> cn: Groups
> objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=internal,DC=domain,DC=tld
> description: Default container for upgraded group accounts
> EOF
>
> results in:
> ERR: Operations error : "LDAP error 1 LDAP_OPERATIONS_ERROR -  <00002020:
> Operation unavailable without authentication> <>" on DN
> CN=Groups,DC=internal,DC=domain,DC=tld at block before line 6
>
> Anybody else who has the same problem? Or could somebody enlighten me as to what
> I'm doing wrong here?
>
> btw: ldbadd -U DOMAIN/User%password ... works.
>
> Thanks in advance for any hint.
>
> Regards

OK, firstly I would create a user to use with ldb-tools instead of using 
Administrator:

samba-tool user create admin --random-password --description="Unprivileged user for ldb-tools"

Next, set user to not expire:

samba-tool user setexpiry admin --noexpiry

You now need to export the users keytab:

samba-tool domain exportkeytab /etc/admin.keytab --principal=admin

Now you have the keytab you can now run kinit and create the ticket cache:

kinit -F -k -t /etc/admin.keytab -c /tmp/krb5cc_admin admin@UREALM # <--change 'UREALM' to your uppercase realm name

Finally you can run the ldbadd command:

ldbadd -H ldap://localhost --kerberos=yes --krb5-ccache=/tmp/krb5cc_admin << EOF
......


HTH

Rowland
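As an added example (not code from the thread or from Samba), a small Python helper for the procedure above: it parses a klist listing, checks that the cache holds an unexpired TGT for the principal you intend to use, builds the ldbadd argv with an explicit --krb5-ccache, and emits the container LDIF from the question. The klist layout and timestamp format are assumed to be the ones quoted above; the sample listing is constructed.

```python
import re
from datetime import datetime

# Constructed sample in the layout klist printed in the thread (not real output).
SAMPLE_KLIST = """Ticket cache: FILE:/tmp/krb5cc_admin
Default principal: admin@INTERNAL.DOMAIN.TLD

Valid starting     Expires            Service principal
09/01/15 20:36:16  09/02/15 06:36:16  krbtgt/INTERNAL.DOMAIN.TLD@INTERNAL.DOMAIN.TLD
\trenew until 09/02/15 20:36:16
"""

KLIST_TIME = "%m/%d/%y %H:%M:%S"        # timestamp layout klist used in the thread (assumed)
TS = r"\d\d/\d\d/\d\d \d\d:\d\d:\d\d"   # the same layout as a regex

def parse_time(s):
    return datetime.strptime(s, KLIST_TIME)

def parse_klist(text):
    """Return (cache, principal, tgt_expiry); tgt_expiry is None when no TGT is listed."""
    cache = re.search(r"^Ticket cache:\s*(\S+)", text, re.M)
    princ = re.search(r"^Default principal:\s*(\S+)", text, re.M)
    # \s+ before krbtgt/ also accepts the line-wrapped form quoted in the question.
    tgt = re.search(rf"^({TS})\s+({TS})\s+krbtgt/", text, re.M)
    return (cache.group(1) if cache else None,
            princ.group(1) if princ else None,
            parse_time(tgt.group(2)) if tgt else None)

def check_ticket(text, expected_principal, now):
    """Reasons (possibly none) why this cache cannot authenticate ldbadd as expected_principal."""
    cache, princ, expiry = parse_klist(text)
    problems = []
    if cache is None:
        problems.append("no ticket cache found; run kinit first")
    if princ != expected_principal:
        problems.append(f"cache holds {princ!r}, expected {expected_principal!r}")
    if expiry is None:
        problems.append("no krbtgt (TGT) in cache; run kinit first")
    elif expiry <= now:
        problems.append(f"TGT expired at {expiry}; run kinit again")
    return cache, problems

def ldbadd_command(url, ccache):
    """ldbadd argv that names the ticket cache explicitly, as the reply suggests."""
    return ["ldbadd", "-H", url, "--kerberos=yes", f"--krb5-ccache={ccache}"]

def container_ldif(cn, base_dn, description):
    """LDIF for a container object in the shape of the record posted in the question."""
    return (f"dn: CN={cn},{base_dn}\nobjectClass: container\nobjectClass: top\ncn: {cn}\n"
            f"objectCategory: CN=Container,CN=Schema,CN=Configuration,{base_dn}\n"
            f"description: {description}\n")
```

Run check_ticket on the output of `klist -c /tmp/krb5cc_admin` before invoking ldbadd; an empty problem list means the cache you are about to hand to --krb5-ccache actually holds the ticket you think it does.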
